Any attack that allows a user to gain unauthorized access to a network is called an intrusion attack. One common security problem facing large organizations is the attachment of unauthorized (or rogue) access points (APs) to corporate networks. The rogue AP creates a “hole” through which unauthorized clients can connect, bypassing various security measures that the IT department may have put in place. A similar attack can be carried out by using ad-hoc wireless networks instead of APs. Another way a corporate network, or any specific network, may be compromised is when an attacker finds and uses an unsecured AP that was connected to the network by an unsuspecting employee. The widespread availability of inexpensive, easy-to-deploy APs and wireless routers has exacerbated this problem.
For example, an employee might bring in a wireless AP from home, plug it into the corporate network without configuring it to require the necessary authentication, and thereby compromise the security of the corporate network. There are also many other scenarios in which rogue wireless equipment may be connected to a corporate network. For example, a disgruntled employee may deliberately attach an unauthorized AP to the corporate network.
Unfortunately, once an unauthorized AP is attached to any specific network, the security of the network is compromised, even if all the authorized APs are configured to use appropriate authentication mechanisms. Once an unauthorized AP is set up, an unauthorized client may gain access to that specific network without having physical access to the premises of the organization. Thus, detecting these unauthorized or rogue APs is an important challenge.
At first glance, this problem may seem relatively straightforward. An organization simply needs to maintain a database of all authorized APs, which includes the Service Set Identifier (SSID) and Basic Service Set Identifier (BSSID) for every authorized AP. An alarm is raised whenever an unknown SSID and/or BSSID is heard by a wireless sensor. Such sensors can be an AP, a mobile client, a desktop PC with a Wi-Fi network interface, or a dedicated sensor node. All one needs to worry about is how to provide a sufficiently dense deployment of these sensors.
This is the basic mechanism that has been proposed in previous systems, and many wireless management companies offer rogue AP detection as part of their product offerings. Unfortunately, this simplified and seemingly straightforward approach is susceptible to both false negatives and false positives. That is, due to the variety of intrusion attacks that are possible, these simplified approaches often cannot detect the rogue AP, i.e., a false negative. Additionally, because wireless networks deployed at other businesses may be within hearing range of a wireless sensor, the detection of an AP that is not in the database does not always mean that it is a rogue AP connected to the specific network of concern, i.e., a false positive. Both kinds of failure present continuing problems for corporate IT department personnel, as well as allowing serious security breaches to persist undetected.
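The following is an added illustration, not part of the original text, of the simplified database-lookup detector described above and of the two failure modes it suffers. All SSIDs, BSSIDs and sensor observations are constructed; the wired_to_corp field is assumed ground truth available only to the scorer, not to the detector.

```python
from dataclasses import dataclass

# Database of authorized APs keyed by (SSID, BSSID), as the text describes.
# All identifiers below are constructed for this example.
AUTHORIZED_APS = {
    ("corp-wlan", "00:11:22:33:44:01"),
    ("corp-wlan", "00:11:22:33:44:02"),
}

@dataclass(frozen=True)
class Observation:
    """One beacon heard by a wireless sensor (constructed sample data)."""
    ssid: str
    bssid: str
    mode: str             # "infrastructure" (an AP) or "ad-hoc" (IBSS)
    wired_to_corp: bool   # ground truth, used only to score the detector

def naive_rogue_check(obs, authorized=AUTHORIZED_APS):
    """Simplified detector: alarm on any AP whose (SSID, BSSID) is unknown.
    It only examines infrastructure-mode beacons, so ad-hoc networks are never checked."""
    if obs.mode != "infrastructure":
        return False
    return (obs.ssid, obs.bssid) not in authorized

def is_actual_rogue(obs, authorized=AUTHORIZED_APS):
    """Ground truth: unauthorized equipment actually attached to the corporate network."""
    return obs.wired_to_corp and (obs.ssid, obs.bssid) not in authorized

def score(observations):
    """Classify each alarm decision against ground truth."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for obs in observations:
        flagged, rogue = naive_rogue_check(obs), is_actual_rogue(obs)
        if flagged and rogue:
            counts["tp"] += 1
        elif flagged and not rogue:
            counts["fp"] += 1   # e.g. a neighbouring business's AP heard by the sensor
        elif not flagged and rogue:
            counts["fn"] += 1   # e.g. an ad-hoc network bridged onto the corporate LAN
        else:
            counts["tn"] += 1
    return counts

# Constructed sensor observations covering each outcome.
SAMPLE_OBSERVATIONS = [
    Observation("corp-wlan", "00:11:22:33:44:01", "infrastructure", True),    # authorized AP
    Observation("cafe-guest", "aa:bb:cc:dd:ee:01", "infrastructure", False),  # next-door business
    Observation("home-router", "aa:bb:cc:dd:ee:02", "infrastructure", True),  # employee's home AP
    Observation("adhoc-share", "02:11:22:33:44:99", "ad-hoc", True),          # ad-hoc bridge
]
```

Calling score(SAMPLE_OBSERVATIONS) yields one true positive, one false positive (the neighbouring AP), one false negative (the ad-hoc network) and one true negative, which is the pattern of failures the text attributes to the database-only approach.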